MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e2f435485baa82011fb87477cf73d40c87b87a3579b11ea8d3cb22883ad33682. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 20


Intelligence 20 IOCs YARA 13 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e2f435485baa82011fb87477cf73d40c87b87a3579b11ea8d3cb22883ad33682
SHA3-384 hash: 6e5f65e084b703d82c40ee1a323396364e445c9302635f0a715c5758902080f3b793b65dd6281b84a2c700c5c97c4328
SHA1 hash: 32e45aa5e82fe1750fcc68b63b70265ba81329dd
MD5 hash: 97700bf189af80e9275bfa549bf09152
humanhash: bluebird-saturn-autumn-violet
File name:Inv# 212-2025.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:854'536 bytes
First seen:2025-09-04 07:52:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:mg2OPJaqojL4elLz6Y5S3VVaFirkUkPeHA35WqOzEBUyBL6p5tC1TC2IEQiw/dNj:m7O0quf0HaUrVgJk9C1TC2IllN7Z2G
TLSH T1DA0512841159DD21C9AD0FB88991D6BA5374AF68BA03E207ADE5FCCF3D7778221092C7
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10522/11/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4504/4/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
Reporter lowmal3
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
99
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
Inv# 212-2025.exe
Verdict:
Malicious activity
Analysis date:
2025-09-04 07:52:57 UTC
Tags:
auto-sch-xml stealer evasion ultravnc rmm-tool netreactor agenttesla
Link:
https://app.any.run/tasks/d933c4c8-2881-404d-aa55-3df93c4536a1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/25001/
Detection(s):
no reply from clamd
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68b94a3feb163e0ec1844d9b
Tags:
injection spawn shell
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
DNS request
Connection attempt
Sending an HTTP GET request
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 bitmap expired-cert invalid-signature krypt lolbin msbuild obfuscated packed packed reconnaissance redline redline regsvcs rezer0 roboski schtasks signed stealer stego threat unsafe vbc
Link:
https://www.filescan.io/uploads/68b945888d7e23876186ac67/reports/1e7f72fd-9a65-4b09-b05c-394d1086a57a/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/e2f435485baa82011fb87477cf73d40c87b87a3579b11ea8d3cb22883ad33682
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-04T04:01:00Z UTC
Last seen:
2025-09-04T04:01:00Z UTC
Hits:
~1000
Detections:
Trojan.Win32.Agent.sb HEUR:Trojan.MSIL.Shelpak.gen Trojan-PSW.Win32.Stealer.sb Trojan-PSW.Win32.Disco.sb Trojan.MSIL.Inject.sb Trojan.MSIL.Crypt.sb Trojan-Dropper.Win32.Agent.sb HEUR:Trojan.MSIL.Taskun.gen Trojan-PSW.MSIL.Agent.sb Trojan-PSW.MSIL.Agensla.sb HEUR:Trojan.Win32.Generic Trojan.MSIL.Taskun.sb Trojan-PSW.MSIL.Agensla.d HEUR:Trojan-Spy.MSIL.Agent.sb HEUR:Trojan-PSW.MSIL.Agensla.a Trojan-PSW.MSIL.Agensla.g HEUR:Trojan.MSIL.Taskun.sb
Link:
https://opentip.kaspersky.com/e2f435485baa82011fb87477cf73d40c87b87a3579b11ea8d3cb22883ad33682/results?tab=lookup
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/daaf6744-dc39-41e1-8eec-71491b3ddd6d
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1770947
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Check if machine is in data center or colocation facility
Found malware configuration
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1770947 Sample: Inv# 212-2025.exe Startdate: 04/09/2025 Architecture: WINDOWS Score: 100 42 fiber23-R.iaasdns.com 2->42 44 ip-api.com 2->44 50 Suricata IDS alerts for network traffic 2->50 52 Found malware configuration 2->52 54 Malicious sample detected (through community Yara rule) 2->54 56 11 other signatures 2->56 8 Inv# 212-2025.exe 7 2->8         started        12 SxIUVljJ.exe 5 2->12         started        signatures3 process4 file5 36 C:\Users\user\AppData\Roaming\SxIUVljJ.exe, PE32 8->36 dropped 38 C:\Users\user\AppData\Local\...\tmp9706.tmp, XML 8->38 dropped 40 C:\Users\user\...\Inv# 212-2025.exe.log, ASCII 8->40 dropped 58 Adds a directory exclusion to Windows Defender 8->58 14 RegSvcs.exe 15 2 8->14         started        18 RegSvcs.exe 8->18         started        20 powershell.exe 23 8->20         started        22 schtasks.exe 1 8->22         started        60 Multi AV Scanner detection for dropped file 12->60 24 RegSvcs.exe 2 12->24         started        26 schtasks.exe 1 12->26         started        signatures6 process7 dnsIp8 46 fiber23-R.iaasdns.com 206.168.149.58, 49691, 49693, 587 CENTURYLINK-US-LEGACY-QWESTUS United States 14->46 48 ip-api.com 208.95.112.1, 49690, 49692, 80 TUT-ASUS United States 14->48 62 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 14->62 64 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 18->64 66 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 18->66 68 Loading BitLocker PowerShell Module 20->68 28 WmiPrvSE.exe 20->28         started        30 conhost.exe 20->30         started        32 conhost.exe 22->32         started        70 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 24->70 72 Tries to steal Mail credentials (via file / registry access) 24->72 74 Tries to harvest and steal ftp login credentials 24->74 76 Tries to harvest and steal browser information (history, passwords, etc) 24->76 34 conhost.exe 26->34         started        signatures9 process10
Score:
96%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e2f435485baa82011fb87477cf73d40c87b87a3579b11ea8d3cb22883ad33682
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.27 Win 32 Exe x86
Link:
https://app.malva.re/file/97700bf189af80e9275bfa549bf09152
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e2f435485baa82011fb87477cf73d40c87b87a3579b11ea8d3cb22883ad33682/
Verdict:
Malicious
Threat:
Family.AGENTTESLA
Link:
https://tip.neiki.dev/file/e2f435485baa82011fb87477cf73d40c87b87a3579b11ea8d3cb22883ad33682
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2025-09-04 07:57:58 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
19 of 24 (79.17%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4l2dksc3vkbach5yor34646ubsd3q6rvpgyr5kgtzmriqowtg2ba._file
Verdict:
malicious
Label(s):
unc_loader_001
Create hunting rule
unc_loader_037
Create hunting rule
Similar samples:
error
RedLineStealer
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery execution persistence
Link:
https://tria.ge/reports/250904-jqx6qacj7s/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/3005b8ce-0d64-4dba-85db-645b9170b77b
Unpacked files
SH256 hash:
e2f435485baa82011fb87477cf73d40c87b87a3579b11ea8d3cb22883ad33682
MD5 hash:
97700bf189af80e9275bfa549bf09152
SHA1 hash:
32e45aa5e82fe1750fcc68b63b70265ba81329dd
Link:
https://www.unpac.me/results/f93f41d7-17f2-4e9d-af77-5943a27e3f8c/
SH256 hash:
59f96f6af70822f17293f12cecf4204b1702dffdb89f311638103fd0a5f306f8
MD5 hash:
ed9d2015b3b08b58d4b5502684ab45c6
SHA1 hash:
7834cc95c0556228f109a78edd96c21c6f749ce4
Detections:
win_samsam_auto
Create hunting rule
SUSP_OBF_NET_Reactor_Native_Stub_Jan24
Create hunting rule
MAL_Malware_Imphash_Mar23_1
Create hunting rule
MetaStealer_NET_Reactor_packer
Create hunting rule
MALWARE_Win_RedLine
Create hunting rule
Link:
https://www.unpac.me/results/f93f41d7-17f2-4e9d-af77-5943a27e3f8c/
SH256 hash:
0a6d412c1ecc3101f6e26dcc19a2ef1477756652ce9288286376683d497d1532
MD5 hash:
b59191d328dceef0467fb0cac3e68b1d
SHA1 hash:
858327d790a06046b3dd551da30f5e1962a2861b
Detections:
win_samsam_auto
Create hunting rule
SUSP_OBF_NET_Reactor_Native_Stub_Jan24
Create hunting rule
MAL_Malware_Imphash_Mar23_1
Create hunting rule
MetaStealer_NET_Reactor_packer
Create hunting rule
MALWARE_Win_RedLine
Create hunting rule
Link:
https://www.unpac.me/results/f93f41d7-17f2-4e9d-af77-5943a27e3f8c/
SH256 hash:
4b74a6c0a191f9e59a6f241e6f2eefb4f8252d77c6eaf4cd7026a3f940243526
MD5 hash:
b661ad606c54dff5d62f2daab9c6dc50
SHA1 hash:
ca64893409a9110eb296b68aebbe2db8d3e6c118
Detections:
AgentTesla
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Agenttesla_type2
Create hunting rule
INDICATOR_EXE_Packed_GEN01
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
Link:
https://www.unpac.me/results/f93f41d7-17f2-4e9d-af77-5943a27e3f8c/
SH256 hash:
e50b0550616c4ea9dc2d18d75084f50e6e7da2ccaa2c77a439026957105aad8f
MD5 hash:
540148a4209d7e2b88d0e24b919c2834
SHA1 hash:
5a2042f9c9946e57d02d0d4e9a1ba2c5b1246a1e
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/f93f41d7-17f2-4e9d-af77-5943a27e3f8c/
Parent samples :
881aac6c0395e173fe15acd1baf9caf443e73e166176b5040ccdb7e34750ed58
e14543458bbd96f242cc1dbeb9e3ff8c62c592fbe954b6da75fbf7f05aa41a0f
93bba3622d1594eb97ea253dbee9a1d5c495871b73410bccd6c41d7969d3b8a2
a89d88037e6e7321b7da02290aab0139ddf7be1b697388dcc28fba708304682f
e2f435485baa82011fb87477cf73d40c87b87a3579b11ea8d3cb22883ad33682
67b1c7d222568af1d3fe24c18125eac63dad102e029fae7427b7b9a526f63699
2e3c410728b3564bd615f8e6c64a7fc82fd5385542d02d7134d07bcbbc3f9f09
8ece82ad36ddad1e13a955098ea9629364950ed21a1155d7be4921208e62eb0c
26a2714342c817548962d1a9cf5ebb1aacb811c3060fea1269c8280047b8eddf
78f8b46dfdd55f7914e78f925189180f674945327ee3fa9187e2d5de86b15337
a8dabe249da520a24de691d48bf2549dda65bbb3e62cecd148b1ff0080533cac
0cb006d7434c2ffa1b04e4f20a90688e8eb36e82cea2db1641744e235995439b
fcdc9e821a1bd97c87b1c9b9fed76a070f3ff81a0ee0838f49a915336851a029
6b76abca8f35fff263c12beaaf521405a1d3743abde3bc20d8415272b2c5a140
2f76a21937582bd59783cab01437d029a6ccd52635e2a3f424831ad7e444e640
392ec2e0db217dc665b13c2e73b00d0ca2dc3b7f8a47eedf9a715d613e57a464
acfd0a48223c3e021532b6f7cfb12e81ebf2903bd706b9a5d45fb1a020dd7902
9357bf9a67240b9df693123dfcefe78bd468a313243e9ab7769c60eae161f1ad
c3bce19ca32fe499888cec1530bef701ba3d11d7fba776945a2e1245cb162a38
8e7c61db1d4aae49ddbd1ab8586fe752edbd01f30d5214e6e6bc074a3ec05588
a6fc6ac52bb2eb9fbe527ec26f3f21b8a3775660883ccd55976a250910dcee2e
227d7f535bcb6ce158d63d9436429547e9a065b289cf8b0caf8993ddd549190d
SH256 hash:
454b41ff44cae93238964c707df5c0f4563f5c690a189c8f0eafcd92436b6867
MD5 hash:
7b70f8d46513865c7f9b62b9179b7bda
SHA1 hash:
ae57f7cd226ded9bf060bb729f901eec7a9e8910
Detections:
win_samsam_auto
Create hunting rule
SUSP_OBF_NET_Reactor_Native_Stub_Jan24
Create hunting rule
MAL_Malware_Imphash_Mar23_1
Create hunting rule
MetaStealer_NET_Reactor_packer
Create hunting rule
MALWARE_Win_RedLine
Create hunting rule
Link:
https://www.unpac.me/results/f93f41d7-17f2-4e9d-af77-5943a27e3f8c/
Parent samples :
6c0a5cce7cc821d81636aca89eeb21950f7006aa8edf26e67087f86813a1d66a
fe7823ad1c068983e2dbe14c0e39c1231a96731d1eb142e8ba7e2fcdcb2b909a
e2f435485baa82011fb87477cf73d40c87b87a3579b11ea8d3cb22883ad33682
SH256 hash:
f04a71cf338af24c17eb3f64dc4fc92d34840d24accca2b534b047c2a954c3df
MD5 hash:
b98689f40caaa605b7cedb74a9e344a5
SHA1 hash:
bbeac30419999aca0b0aec7ca94d4555b2fcd752
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/f93f41d7-17f2-4e9d-af77-5943a27e3f8c/
SH256 hash:
21dcc84ee225f8671230d381ac350eeb1536e0df20a2448ad80089cc5f61049c
MD5 hash:
07163a97f37b0086d6ad1440359fc363
SHA1 hash:
73fd4fab0a535f548611a05681eabb3a618b5e77
Detections:
AgentTesla
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Agenttesla_type2
Create hunting rule
INDICATOR_EXE_Packed_GEN01
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
Link:
https://www.unpac.me/results/f93f41d7-17f2-4e9d-af77-5943a27e3f8c/
Parent samples :
6c0a5cce7cc821d81636aca89eeb21950f7006aa8edf26e67087f86813a1d66a
fe7823ad1c068983e2dbe14c0e39c1231a96731d1eb142e8ba7e2fcdcb2b909a
e2f435485baa82011fb87477cf73d40c87b87a3579b11ea8d3cb22883ad33682
SH256 hash:
7bcce6b5e051576945ca1dcfe9d75cc8b19667c2fb6f982208d65fd03348078f
MD5 hash:
2444f4e94e09aa7578b38e2665342531
SHA1 hash:
d2ea0bc03fa5842e74058a4c8956a6e8125f8f4e
Detections:
AgentTesla
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Agenttesla_type2
Create hunting rule
INDICATOR_EXE_Packed_GEN01
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
Link:
https://www.unpac.me/results/f93f41d7-17f2-4e9d-af77-5943a27e3f8c/
Parent samples :
6c0a5cce7cc821d81636aca89eeb21950f7006aa8edf26e67087f86813a1d66a
fe7823ad1c068983e2dbe14c0e39c1231a96731d1eb142e8ba7e2fcdcb2b909a
e2f435485baa82011fb87477cf73d40c87b87a3579b11ea8d3cb22883ad33682
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e2f435485baa/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e2f435485baa82011fb87477cf73d40c87b87a3579b11ea8d3cb22883ad33682

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MAL_Malware_Imphash_Mar23_1
Create hunting rule
Author:Arnim Rupp
Description:Detects malware by known bad imphash or rich_pe_header_hash
Reference:https://yaraify.abuse.ch/statistics/
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:win_samsam_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RedLineStealer

Executable exe e2f435485baa82011fb87477cf73d40c87b87a3579b11ea8d3cb22883ad33682

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/25001/

Comments